(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(19) World Intellectual Property Organization 
International Bureau 

(43) International Publication Date 
20 November 2003 (20.11.2003) 




PCT 



(10) International Publication Number 

wo 03/096554 A2 



(51) International Patent Classification^: H04B 

(21) International Application Number: PCT/US03/15026 

(22) International Filing Date: 13 May 2003 (13.05.2003) 



(25) Filing Language: 

(26) Publication Language: 

(30) Priority Data: 

60/378,029 



English 
English 

13 May 2002 (13.05.2002) US 



(71) Applicant (for all designated Slates except US): THOM- 
SON LICENSING S.A. [FR/FR]; 46 Quai A. Le Gallo, 
F-92648 Boulogne (FR). 

(72) Inventors; and 

(75) Inventors/Applicants (for US only): WANG, Charles, 
Chuanming [US/US]; 1504 Spearmint Circle, Jamison, PA 
18929 (US). MODY, Sachin, Satish [IN/US]; 708 White 
Pine Circle, Lawrenceville, NJ 08648 (US). ZH ANG, Jun- 
biao [CNAJS]; 20 Jenna Drive, Bridgewater, NJ 08807 
(US). RAMASWAMY, Kumar [TN/US]; 71 Sayre Drive, 
Princeton, NJ 08540 (US). 



(74) Agents: TRIPOLI, Joseph, S. et al.; Thomson Licensing, 
Inc., 2 Independence Way, Suite 2, Princeton, NJ 08543 
(US). 

(81) Designated States (national): AE, AG, AL, AM, AT, AU, 
AZ, BA. BB, BG, BR, BY, BZ, CA, CH, CN, CO, CR, CU. 
CZ, DE, DK, DM, DZ, EC, EE, ES, H, GB, GD, GE, GH, 
GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, 
LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, 
MX, MZ, NX, NO, NZ, OM, PH, PL, FT, RO, RU, SC, SD, 
SE, SG, SK, SL, TJ, TM, TN, TR, TT, TZ, UA, UG, US, 
UZ, VC, VN, YU, ZA, ZM, ZW. 

(84) Designated States (regional): ARIPO patent (GH, GM, 
KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZM, ZW), 
Eurasian patent (AM, AZ. BY, KG, KZ, MD, RU, TJ, TM), 
European patent (AT, BE, BG, CH, CY, CZ, DE, DK, EE, 
ES, n, FR, GB, GR, HU, IE, FT, LU, MC, NL, PT, RO, 
SE, SI, SK, TR). OAPI patent (BF, BJ, CF. CG, CI, CM. 
GA, GN, GQ. GW, ML. MR, NE, SN, TD, TG). 

Published: 

— without international search report and to be republished 
upon receipt of that report 

For two-letter codes and other abbreviations, refer to the "Guid- 
ance Notes on Codes and Abbreviations" appearing at the begin- 
ning of each regular issue of the PCT Gazette. 



(54) Title: SEAMLESS PUBLIC WIRELESS LOCAL AREA NETWORK USER AUTHEN'nCATION 



< 

in 
in 

ON 
O 




AUTHEKnCATrON SERVER 



PDA 



(57) Abstract: A public wireless LAN (11) permits receipt of non-authentication traffic, such as access information requests, from 
a mobile wireless communications device (121) prior to device authentication by partially opening a controlled port within an access 
point (181). The wireless LAN re -directs such non -authentication traffic received at the AP from the mobile wireless communi- 
cations to a local web server (21). The local web server provides reply to the mobile wireless conrmiuni cations device, enabling a 
determination by the device whether or not to request access. The device seeks access by way of an access request received at the AP. 
In response, the AP re-directs the access request through an uncontrolled port in the AP to an access server (26) that authenticates 
device. Upon successful device authentication, the AP fully opens its controlled port to permit the exchange of traffic through that 
port with the mobile wireless communications device. 
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5 SEAMLESS PUBLIC WIRELESS LOCAL AREA NETWORK USER 

AUTHENTICATION 

CROSS-REFERENCE TO RELATED APPLICATIONS 

10 This is a non-provisional application claiming the benefit under 35 U.S.C. § 1 19 of 

provisional application Serial No. 60/376,029, entifled "SEAMLESS PUBLIC A\aRELESS 
LOCAL AREA NETWORK USER AUTHENTICATION", filed on 13 MAY 2002, which is 
incorporated by reference herein. 

15 TECHNICAL FIELD 

This invention relates to a technique for authenticating a mobile wireless 
communications device in a public wireless Local Area Network (LAN). 

20 BACKGROUND ART 

Advances in the field of wireless LAN technology have resulted in the emergence of 
publicly accessible wireless LANs (e.g., "hot spots") at rest stops, cafes, libraries and sunilar 
public facilities. Presently, public wireless LANs offer mobile wireless communications 

25 device users access to a private data network, such as a Corporate Intranet, or a public data 
network such as the Internet. The relatively low cost to implement and operate a public 
wireless LAN, as well as the available high bandwidth (usually in excess of 10 
Megabits/second) makes the public wireless LAN an ideal access mechanism through which 
users can exchange packets with an external entity. 

30 When a user travels into a public wireless LAN coverage area, the public wireless 

LAN first authenticates and authorizes the user prior to granting network access. After 
authentication, the public wireless LAN Access Point (AP) opens a secure data channel to the 
mobile wireless communications device to protect the privacy of data exchanged with the 
device. Presently, many manufacturers of wireless LAN equipment have adopted the IEEE 

35 802. Ix protocol for deployed equipment. Hence, the predominant authentication mechanism 
for wireless LANs utilizes this standard. Unfortunately, the IEEE 802.1x protocol was 
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5 a safe authentication procedure, but such mechanisms do not permit setting of a Wired 

Equivalent Privacy (WEP) encryption key in the Web browser. Therefore, data transmitted 
over wireless LAN after authentication remains unprotected. 

Thus, there is need for an authentication process for use in a public wireless LAN 
environment that permits authentication in accordance with the IEEE 802. Ix protocol, thus 

10 protecting the privacy of exchanged data, while affording customized interaction mechanisms. 

BRIEF SUMMARY OF THE INVENTION 

Briefly, in accordance with a preferred embodiment of the present principles, tiiere is 
15 provided a method for authenticating the user of a mobile wireless conmiunications device in 
a public wireless LAN. The method commences upon receipt of a request received from a 
mobile wireless conununications device for non-authentication information, which can 
include access information, such as the cost of access. In response to such an information 
request, a controlled port in the public wireless LAN is partially opened to enable 
20 transmission of non-authentication (e.g., access) information request through the LAN to a 
first server that replies with the requested information. Assuming the user of the mobile 
wireless communications device fmds the access terms specified in the reply from the first 
server acceptable, the user then sends an access request to an authentication server with an 
authenticating credential. In response to the access request, the authentication server 
25 authenticates the user and notifies the public wkeless LAN to allow the use of wireless LAN 
services. Upon successful authentication, the public wireless LAN fully opens the controlled 
port to permit the exchange of data with the mobile wireless communications device through 
the controlled port. 

30 BRIEF DESCRIPTION OF THE DRAWINGS 

FIGURE 1 depicts a block schematic diagram of a conununications system for 
practicing the method of the present principles for authenticating the user of a mobile wireless 
communications device; and 
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5 FIGURE 2 depicts a timing chart depicting the sequence of events associated 

authenticating the user of the mobile wireless conmiunications device in the communications 
system of FIG. 1. 



6/14/05, EAST Version: 2. 0. 1.-4 



wo 03/096554 



PCT/US03/15026 



-4" 



5 DETAILED DESCRIPTION 



FIGURE 1 depicts a block schematic diagram of a communications network 10 that 
includes an access arrangement 1 1 for enabling at least one mobile conmiunication device, 
and preferably a plurality of mobile communication devices (e.g., mobile conmiunication 

10 devices 12i, and 122.) to securely access an external data source 14, which can take the form 
of a server within a network 15, such as a public data network (e.g., the Internet), or a private 
data network (e.g., a corporate intranet). In a preferred embodiment, the mobile 
conmiunication device 12i comprises a lap top computer that includes a wireless modem or 
wireless network access card, whereas the mobile communication device 122 comprises a 

15 Personal Data Assistant. The access arrangement 1 1 can also serve other types of mobile 
wireless communications devices (not shown). 

The access arrangement 1 1 of FIG. 1 includes at least one, and preferably, a plurality 
of access points (APs), best exemplified by APs I81-I84, via which the mobile wireless 
communication devices 12i and 122 can access a public wireless Local Area Network (LAN) 

20 20. Although shown separately, the APs I81-I84 comprise part of the public wireless LAN 
20. In the illustrated embodiment, each AP, such as AP I81, includes a wireless transceiver 
(not shown) for exchanging radio frequency signals with a radio transceiver (not shown) 
within each mobile wireless communication device. To this end, each of the APs I81-I84 
employs at least one well-known wireless data exchange protocol, such as the IEEE 802. Ix 

25 protocol. 

The access arrangement 1 1 also includes a server 21, in the form of a local web server 
that stores non-authentication information. Such non-authentication information can include 
access information, such as access terms and conditions, including the cost to the user. The 
local web server 21 enables a device user to obtain such non-authentication information 

30 without the need to establish an actual communications session with the public wireless LAN 
20 and thus undergo authentication. Although shown separately, the local web server 21 could 
reside within the public wireless LAN 20. 

A gateway 22 provides a communication path between the public wireless LAN 20 
and a packet data network (PDN) 24 that provides a link to the network 15. The PDN 24 thus 

35 permits communications between each mobile wireless communications device and the data 
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5 source 14. The PDN 24 also links the gateway 22 to an authentication server 26. In practice, 
the authentication server 26 takes the form of a database containing information about 
potential users to enable authentication of those seeking access to the v^ireless LAN 20, 
Rather than exist as a separate stand-alone entity, the authentication server 26 could reside 
within the public wireless LAN 20, Further, the PDN 24 provides a link between the public 
10 wireless LAN 20 and a billing agent (not shown) to facilitate billing device user for accessing 
the public wireless LAN. As with the authentication server 24, the functionality of the billing 
agent could reside within the public wireless LAN 20. 

In advance of actually establishing an actual authenticated conununications session 
with the public wireless LAN 20, a device user might wish to obtain certain non- 
15 authentication information, such as the terms and conditions of access, as well as the cost. 
Heretofore, the device user could not obtain such non-authentication information from a 
public wireless LAN whose access points (APs) employ the IEEE 802. Ix protocol without 
establishing an authenticated communications session. The access arrangement 1 1 of the 
present principles overcomes this disadvantage by enabling a limited connection with the 
20 public wireless LAN 20 to obtain non-authentication information, including access 
information, prior to actually establishing an authenticated communications session. 

FIG, 2 depicts the sequence of interactions that occurs over time among a mobile 
wireless communication device, say device 12i, the public wireless LAN 20, the local web 
server 21, and the authentication server 26 to achieve the desired secure access while 
25 permitting receipt of certain information without authentication. Referring to FIG. 2, prior to 
actually establishing an authenticated communications session, the user of the mobile wireless 
communications device 12i can obtain non-authentication information by first launching an 
HTTP information request during step 102. The information request is initially received at 
one of the APs, such as AP 18i of FIG. 1. When configured with the IEEE 802. Ix protocol, 
30 the AP 18i of FIG. 1 maintains a controlled port and an un-controUed port through which the 
AP exchanges information with the mobile wireless communications device 12i. The 
controlled port maintained by the AP 18i serves as the entryway for non-authentication 
information to pass through the AP between the public wireless LAN 20 and the mobile 
wireless communications device 12i. Ordinarily, the AP 18i keeps its contrpUed port closed 
35 in accordance with the IEEE 802. Ix protocol until authentication of the mobile wureless 
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5 conununications device. The AP 18i always maintains the uncontrolled port open to permit 
the mobile wireless communications device 12i to exchange authentication data with an 
authentication server, e.g., server 26. 

To permit the mobile wireless communications device I2i to obtain non-authentication 
information, and particularly, access information, without authentication in accordance with 

10 the present principles, the public wireless LAN 20 causes each AP, such as AP 18i of FIG. 1, 
to partially open its controlled access port after receiving a request for non-authentication 
information. Partially opening the controlled port in die AP 18i enables receipt of such a non- 
authentication iuformation request in the public wireless LAN 20 through the controlled port 
during step 104. Upon receipt of the information request, the public wireless LAN 20 

15 redirects the request to the local web server 21 during step 106. Regardless of the destination 
specified in the information request initially made during step 102, the public wireless LAN 

20 always directs the request to the web server 21 of FIG. 1 during step 106. The web server 

21 responds to the information request by providing the requested information, (e.g., the 
access terms and conditions as well as the domain name of the authenticating server 26) to the 

20 requesting mobile wireless conununications device 12i during step 108. Assuming the user of 
the device finds the terms and condition are acceptable (or the user has negotiated acceptable 
terms and conditions), the mobile wireless conmiunications device 12i transmits to the AP 18i 
an acceptance message during step 1 10. The acceptance message will identify the 
authentication server 26 by its name or URL. The mobile wireless device 12i will 

25 automatically transmit such an acceptance message if the access terms and conditions 

communicated by the web sever 21 match predefined access criteria stored in the device. In 
absence of such a match, the user might need to trigger the transmission of an acceptance 
message. 

Upon receiving the acceptance message, the AP 18i requests the mobile wireless 
30 conununications device 12i to identify itself during step 1 12, Assuming the wireless 

communication device 12i employs an Extensible Authentication Protocol (EAP) as is well 
known in the art, the AP 18i will seek identification of the device through an EAP identity 
request. In response to the EAP identity request, the mobile wireless communications device 
12t sends an EAP identity response to the AP 18i during step 114 for redirection and receipt 
35 at the authentication server 26 via the public wireless LAN 20 during step 116. 
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5 As part of the process of identifying the device, the public wireless LAN 20 typically 

checks whether the device user has a relationship with a billing agent serving the wireless 
LAN 20. If the user has a relationship, then the user need not do anything further as the 
billing agent will account for the access charges. In the absence of a relationship with a 
billing agent, the user will need to establish such a relationship. With the user's assent, the 

10 wireless LAN 20 can seek to dynamically establish such a relationship. 

Upon receipt of the EAP identity response, the AP 18i sends the EAP identity 
response to the authentication server 26 through the uncontrolled port during step 118. The 
authentication server 26 replies to the EAP identity response by directing an EAP 
authentication request to the AP ISj during step 120 for subsequent transmission via the AP 

15 IBi to the mobile wireless communications device 12i during step 122. The mobile wireless 
communications device 12i repUes during step 124 with an EAP authentication response that 
is received through the uncontrolled port in the AP ISi. In turn, the AP 18i forwards the EAP 
authentication response to the authentication server 26 diuing step 126. 

Upon successful authentication of the mobile wireless communications device 12i, the 

20 authentication server 26 generates an EAP authentication success message during step 128 for 
receipt in the AP 18i. In turn, the AP 18i sets an authentication key, typically a Wired 
Equivalent Privacy (WEP) encryption key, for transmission to the mobile wireless 
conmiunications device 12i during step 130. Lastly, the AP 18i fully opens its controlled port 
to permit an exchange of traffic with the mobile wireless communications device 12i through 

25 the controlled port. 

The foregoing describes a technique for authenticating a mobile wireless 
communications device in a public wireless LAN that affords the user of the device the 
opportunity to receive non-authentication information m advance of actually establishing a 
communications session with the public wireless LAN. 
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CLAIMS 

1 . A method for authenticating a mobile wireless communications device in a 
public wireless Local Area Network (LAN), comprising the steps of: 

receiving a request for non-authentication information; 

partially opening a controlled port through which the information request is directed to 
a first server that responds by providing a reply to the mobile wireless conmiunications 
device; 

receiving an access request; 

authenticating the mobile wireless communications device through an uncontrolled 
port; and 

fully opening the controlled port to enable the exchange of traffic with the mobile 
wireless conununications device through the controlled port. 

2. The method according to claim 1 wherein the request for non-authentication 
information is directed to the first server irrespective of a destination specified in the request. 

3. The method according to claim wherein authenticating step comprises the steps 

of: 

receiving an acceptance from the mobile wureless conununications device responsive 
to the reply to the mobile wireless conununications device; 

transmitting a user identification request to the mobile wireless conamunications 

device; 

receiving a user identification response from the mobile wireless communications 
device in reply to the user identification request; and 

re-directing the user identification response to an authentication server. 

4. The method according to claim 3 wherein the step of transmitting the user 
identification request comprises the step of transmitting an Extensible Authentication Protocol 
(BAP) request. 



6/14/05, EAST Version: 2.0.1.4 



wo 03/096554 



PCT/US03/15026 



-9- 

5. The method according to claim 4 wherein the step of receiving the user 
identification response comprises the step of receiving an BAP identification response. 

6. The method according to claim 1 further comprising the step of setting an 
authentication key following authentication. 

7. The method according to claim 6 wherein the step of setting an authentication 
key comprises the step of setting a Wired Equivalent Privacy (WEP) encryption key. 

8. A communications network for authenticating a mobile wireless 
communications device, comprising: 

a first server for storing non-authentication information; 

a second server for authenticating a mobile wireless communications device; 

at least one access point (AP) having (a) controlled port via which the AP partially 
opens in response to a receipt of a request for non-authentication information from a mobile 
wireless communications device and for directing the information request to the first server 
which sends a reply for receipt by the mobile wireless communications device, and (b) an 
uncontrolled port through which the AP dkects authentication traffic received from the mobile 
wireless communications device to the second server which exchanges authentication traffic 
with the mobile wireless communications device; 

a public wireless Local Area Network (LAN) coupled to the one AP and said first and 
second servers. 

9. The system according to claim 8 wherein the AP utilizes a communication 
protocol in conformance with EEEB 802. Ix. 

10. The system according to claim 8 wherein the information stored in the first 
server includes access costs. 
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5 11. The system according to claim 8 wherein the second server authenticates the 

mobile wireless communications device in accordance with an Extensible Authentication 
Protocol (EAP). 

12. The system according to claim 8 wherein the authentication traffic received at 
10 the one A? includes an identification of the authentication server. 

13. An access point (A?) comprising: 

(a) controlled port via which the partially opened in response to a receipt of a request 
* for non-authentication information from a mobile wireless communications device and for 

15 directing the information request to a first server which sends a reply for receipt by the mobile 
wireless communications device, and 

(b) an uncontrolled port through which the A? directs authentication traffic received 
from the mobile wireless communications device to a second server, which exchanges 
authentication traffic with the mobile wireless conmiunications device, 

20 

14. The system according to claim 13 wherein the AP utilizes a communication 
protocol in conformance with IEEE 802. Ix. 
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